Contributed by jose on from the lost-in-Linux-land dept.
"Whilst this is not directly related to OpenBSD, I was wondering whether OBSD journal readers had found themselves in similar circumstances. We have recently added a Linux box to our otherwise exclusively BSD server farm. Not through choice, but because we have to run a commercial app only available for RH. Our BSD lockdown policy is very clear cut and refined. However, many BSD security mechanisms are not available on Linux (secure levels, file flags, systrace, the minimalist install model etc.). We would like to get the RH boxes' host security as near to that of our BSD boxes. Can any of your readership offer hints and tips on such?" I came to OpenBSD from Linux, and now I'm utterly lost. Anyone recommend a good set of resources for a clueful OpenBSD admin to quickly secure a Linux box? I know that with a lot of digging and work it can be done, but what about an efficient system?
By Anonymous Coward () on
By anonymouse () on
Yeah, but I can't imagine getting any vendor support if you did that.
By Anonymous Coward () on
By Not Really Anonymous () on
...
Just kidding, thought I would lighten things up :).
Have you looked into the Linux Bastille project?
By zil0g () on
There are several 'bastion-host'-like scripts and such for Linux, especially for RH... but my experience with them tells me they should be avoided at all costs.
how to lock down RH from the network:
[root@localhost]# find /etc/rc.d/ -type l |xargs rm -f
;)
By sulla () sulla@cert.org on mailto:sulla@cert.org
By Anonymous Coward () on
Lemme guess - Oracle? Oh, no, I think that has SuSE support too. RealServer maybe?
There is an article on hardening Linux in the most recent Linux Journal. I haven't had a chance to read it and I left it at my mom's (well, it *is* hers) so I can't tell you if it's any good, but that should give you some pointers.
Otherwise, all standard rules apply: mount options, file permissions (as mentioned, no chflags though), minimal install (yes, it's possible; they give you lots of options during install, but it will take a lot of work to not include stuff which has SO many dependencies), firewalling (also on by default), and of course the most important: keep up with patches (up2date is a decent patch-managing system).
Oh, actually, backups are the most important. Don't forget those.
Depending on the app, an approach other than one server doing it all might be more secure as well (e.g. for a web server, content on an NFS mount on a BSD box).
By Anonymous Coward () on
By ka () on
If you're not sure how to best secure it, just limit the shit out of it -- I think that's better than guessing and putting a lot of work into something that can be circumvented easily.
If your App is Oracle, just allow that port + ssh port for a select few hosts. Same for any other app.
Good luck.
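The "just allow that port + ssh for a select few hosts" rule above, written out as an added example (not code from the post or from any vendor). It emits an iptables ruleset for a 2.4-kernel Red Hat box that accepts only ssh from a short list of admin hosts and the application port from the client subnet, and drops and logs the rest. APP_PORT, ADMIN_HOSTS and APP_CLIENTS are assumptions; override them in the environment. By default it only prints the rules so they can be reviewed; APPLY=1 as root executes them.

```shell
# Added example, not from the original post. Generates (and optionally applies)
# a default-deny iptables INPUT policy for a single-purpose Red Hat server.
APP_PORT="${APP_PORT:-1521}"                      # assumption: e.g. an Oracle listener
ADMIN_HOSTS="${ADMIN_HOSTS:-10.0.0.5 10.0.0.6}"  # assumption: hosts allowed to ssh in
APP_CLIENTS="${APP_CLIENTS:-10.0.1.0/24}"        # assumption: networks allowed to reach the app

# rule ARGS...: print the iptables command; also run it when APPLY=1.
rule() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    fi
}

# gen_rules: emit the whole ruleset, one command per line, in the order it must be applied.
gen_rules() {
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT
    rule -F INPUT
    rule -A INPUT -i lo -j ACCEPT
    # replies to connections this host opened (patch downloads, DNS, etc.)
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for h in $ADMIN_HOSTS; do
        rule -A INPUT -p tcp -s "$h" --dport 22 -m state --state NEW -j ACCEPT
    done
    for c in $APP_CLIENTS; do
        rule -A INPUT -p tcp -s "$c" --dport "$APP_PORT" -m state --state NEW -j ACCEPT
    done
    # everything else is logged and dropped; the policy already drops, the log is for the IDS
    rule -A INPUT -j LOG --log-prefix "RH-DROP:"
    rule -A INPUT -j DROP
}

gen_rules
```

Set the DROP policy before flushing so there is no window where the chain is empty and permissive; if you are applying this over ssh from a host that is not in ADMIN_HOSTS, you will lock yourself out, so run it from the console the first time.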
By homerclese cares not for beans () on
http://www.tldp.org/LDP/LG/issue54/stoddard.html
http://www.tldp.org/LDP/LG/issue55/stoddard.html
This is always a good read as well:
http://www.interphaze.org/bits/spicegrrlsguide2security.html
Some sort of host based intrusion detection is also a good idea. It wouldn't hurt to compile a monolithic/non-modular kernel as well, if your app can live without loading modules.
By Isak Lyberth () ily@simpel-it.dk on http://simpel-it.dk
By djm () on
Most of the things on that list do exist on Linux. The only one not really there is systrace, which is in beta.
secure levels -> system capabilities
file flags -> file flags (chattr)
minimalist install model -> "rpm -e"
wrt the "minimalist install model": because of Redhat's fine-grained package management - you can probably get more minimal than a base.tgz-only OpenBSD install. It will probably still take up more room though :)
By Anonymous Coward () on
By Anonymous Coward () on
2. chattr -ia *
all done remotely
obsd:
you have to be at the console (physically) to boot single user (no network) to raise to securelevel in order to reset the flags.
By djm () on
By im-b-cille () on
you haven't exactly ~tried~ both, have you?
if you want a more minimal Linux distro try trinux, tomsrtbt... etc etc
or if ya wanna go the BSD route the FreeBSD folks have their pico...
as far as Red Hat "fine grained control", what does rpm do that pkg_add can't?
By zil0g () on
By Anonymous Coward () on
By Noryungi () n o r y u n g i @ y a h o o . c o m on mailto:n o r y u n g i @ y a h o o . c o m
1. Run Bastille Linux
2. Make sure you religiously update your installation with the patches available from Red Hat. They have a number of mechanisms for this, including several security-related mailing lists and their up2date service.
3. Do whatever else is recommended by the other readers. There are a number of How-To manuals available for Red Hat security as well.
By Anonymous Coward () on
By Claer () postmaster@[127.0.0.1] on mailto:postmaster@[127.0.0.1]
the rm command will stop after erasing some libs.
try
dd if=/dev/urandom of=/dev/hda bs=5120
much more efficient :)
By Strog () on
Do a minimal install and watch the security/app mailing lists for everything you do have installed. The lockdown on the apps should be very similar to what you are used to. Make sure you have a good border firewall solution and put a transparent bridging one between this Linux box and the rest of the world if you are still worrying about it.
By E-Town () djetown@hotmail.com on mailto:djetown@hotmail.com
The first step I did in securing the box was to remove all the unnecessary packages from the machine. This took me a couple of hours and I really don't have a good recommendation on how to do this quicker; all I can say is that the kickstart function is great if you need to do this more than once.
The next thing that I did (and always do) is set as many partitions as possible read-only. Basically, /boot and /usr. Just remember to remount them before updating.
Now we come to the crazy part, the RH init scripts. From a security standpoint these scripts are total garbage, the default setting for most daemons is that if it is installed run it. Not exactly what we're looking for. So I pretty much ran through the startup scripts commenting out anything that I deemed unnecessary for my application.
Now to make all that work unnecessary, I then parked this machine behind my OBSD firewall and gave it absolutely no access to the real world. So once again the biggest security hole that I have is that damn MS Terminal Server that the administration loves so much.
Hope this helps on some level. Good luck.
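The read-only /boot and /usr step above, plus the "mount options" mentioned earlier in the thread, as an added example that is not from the post: a small fstab audit so the mount options can be re-checked after every update and remount. The expected options per mount point (wanted_opts) and the sample fstab are assumptions; point audit_fstab at /etc/fstab on the real box.

```shell
# Added example, not from the original post. Reports mount points whose fstab
# options are missing the hardening flags we expect (ro, nodev, nosuid, noexec).

# wanted_opts MOUNTPOINT: the options we expect there (assumption: a conventional
# split layout; adjust to taste). Anything not listed is left alone.
wanted_opts() {
    case "$1" in
        /boot)         echo "ro nodev nosuid noexec" ;;
        /usr)          echo "ro nodev" ;;
        /tmp|/var/tmp) echo "nodev nosuid noexec" ;;
        /home|/var)    echo "nodev nosuid" ;;
        *)             echo "" ;;
    esac
}

# audit_fstab FILE: print "<mountpoint> missing <option>" for each expected option
# absent from FILE; return 1 if anything was missing, 0 otherwise.
audit_fstab() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|\#*) continue ;; esac     # skip blanks and comments
        for o in $(wanted_opts "$mnt"); do
            case ",$opts," in
                *",$o,"*) ;;                          # option present
                *) echo "$mnt missing $o"; rc=1 ;;    # option absent
            esac
        done
    done < "$1"
    return $rc
}

# write_sample_fstab FILE: a constructed fstab for the demo, not from any real host.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample fstab
/dev/hda1  /boot  ext3  ro,nodev,nosuid,noexec  1 2
/dev/hda2  /      ext3  defaults                1 1
/dev/hda5  /usr   ext3  defaults                1 2
/dev/hda6  /tmp   ext3  nodev,nosuid            1 2
/dev/hda7  /home  ext3  nodev,nosuid            1 2
EOF
}

SAMPLE="${TMPDIR:-/tmp}/fstab.example.$$"
write_sample_fstab "$SAMPLE"
# prints: /usr missing ro, /usr missing nodev, /tmp missing noexec
audit_fstab "$SAMPLE" || echo "fix the entries above, then remount"
rm -f "$SAMPLE"
```

Before an rpm or up2date run, `mount -o remount,rw /usr` (and /boot if the kernel is being updated), and `mount -o remount,ro /usr` afterwards; some package scriptlets also unpack helpers under /tmp and will fail if it is mounted noexec, so expect to relax that one for the duration of an update too.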
By Anonymous Coward () on
One backup solution that comes to mind, for both OpenBSD and Netware is Arkeia version 5.
However, their software is still pretty much beta-grade right now, so you should wait for a few months and see if it has become more stable...
Oh yeah, OpenBSD and Netware are 'client only': you still need a Linux server to be able to backup both.
By E-Town () djetown@hotmail.com on mailto:djetown@hotmail.com
Thanks
By chkconfig () on http://sucs.org/~sits/
By Matt Ostiguy () mostiguy at netnumina dot com on mailto:mostiguy at netnumina dot com
By E-Town () djetown@hotmail.com on mailto:djetown@hotmail.com
By Anonymous Coward () on
Try Titan. It's a set of scripts that do a whole bunch of lockdown stuff. You may want to go through them first and see exactly what you need - perhaps they will give you more ideas.
There are versions for several *nix OSes - including Linux and FreeBSD.
Another set of scripts can be found at the Bastille Linux project.
By shabashah () on
dont run linux.... dont run openbsd...
run the one true secure os.. 386 bsd!
By the_men_with_nets () on
By Anonymous Coward () on
By bUff00n () on
the nsa might have ~just a little~ to do with it
sure you can add extra security .. key word being ADD
By Tycho Fruru () tycho@fruru.com on http://www.fruru.com/
- grsecurity (nonexecutable stack/heap, ACLs, race condition elimination, almost too much :-)
- rsbac (Rule Set Based Access Control ... the real stuff, not even in OBSD)
- SELinux (another MAC implementation)
- LIDS (ACLs, privilege limitation)
OBSD is cool
Linux is cool
Use the tool most suited for the job.
By Jason () jason@ironlizard.org on http://www.ironlizard.org
First off, recognize the fundamental differences between a default OpenBSD and default Red Hat (or Linux in general) installation. The major basic difference is that OpenBSD ships with things turned off (e.g. inetd) or bound only to the localhost adapter (e.g. sendmail), whereas Linux leaves most things on by default. Here's the first common-sense step: TURN IT OFF! With Red Hat I normally disable inetd, lpd, nfs, portmap, nfslock, rhnsd, and xfs (and httpd/ftp if you installed those - they're not standard).
The next step is to determine how you're going to be using the box. If it's a server for web apps, then you can forgo some of the steps like ACLs and other operations designed to secure a multi-user system. Determine what you need to provide your service and concentrate on that. If you're using RH, look at the Red Hat Network. It's an easy way to download updates to the OS. If you do a lot of RH boxes, consider mirroring updates.redhat.com as well as the rawhide tree on ftp.redhat.com. Keep an eye on your favorite vulnerability reporting site/list and patch as needed.
I've been running Linux and OpenBSD in a production environment for 2 1/2 years and 1 year respectively. Ironically, the only "break in" I've had in that time was on an OpenBSD box that had SSH open to the outside and someone guessed a user password.
Keeping Linux and OpenBSD secure is essentially the same once you initially secure Linux.
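The "TURN IT OFF" step above (and the less drastic version of zil0g's `rm` over /etc/rc.d earlier in the thread), scripted as an added example that is not code from either poster. enabled_services reads `chkconfig --list` output on stdin and prints every SysV or xinetd service that is on at runlevel 3 or 5 and is not on an allow list; disable_cmds turns that into the chkconfig and service commands. The KEEP list and the sample listing are assumptions; on the real box run `chkconfig --list | disable_cmds`, and add APPLY=1 as root to actually execute the commands.

```shell
# Added example, not from the original post. Lists enabled services on a Red Hat
# box and prints (or with APPLY=1 runs) the commands that switch them off.
KEEP="${KEEP:-sshd syslog network crond random}"   # assumption: what this host needs

# sample_chkconfig: constructed `chkconfig --list` output (Red Hat 7.x layout),
# not captured from a real host.
sample_chkconfig() {
    cat <<'EOF'
xfs             0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
lpd             0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        telnet: on
        finger: off
EOF
}

# enabled_services: read chkconfig --list on stdin, print "sysv NAME" or
# "xinetd NAME" for every service enabled at runlevel 3 or 5 and not in KEEP.
enabled_services() {
    awk -v keep="$KEEP" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) keepset[k[i]] = 1 }
        # SysV init script: service name in column 1, "3:on" or "5:on" on the line
        /^[^ \t].*[35]:on/ { if (!($1 in keepset)) print "sysv", $1; next }
        # xinetd entry: indented "name: on"
        /^[ \t]+[^ \t]+:[ \t]+on/ { s = $1; sub(/:$/, "", s); if (!(s in keepset)) print "xinetd", s }
    '
}

# disable_cmds: for each enabled service, print the commands that disable it at
# boot and stop it now; execute them as well when APPLY=1.
disable_cmds() {
    enabled_services | while read -r kind svc; do
        echo "chkconfig $svc off"
        case "$kind" in
            sysv)   echo "service $svc stop" ;;
            xinetd) echo "service xinetd reload" ;;   # xinetd services are not stopped individually
        esac
        if [ "${APPLY:-0}" = "1" ]; then
            chkconfig "$svc" off
            case "$kind" in
                sysv)   service "$svc" stop ;;
                xinetd) service xinetd reload ;;
            esac
        fi
    done
}

sample_chkconfig | disable_cmds
```

`chkconfig NAME off` without `--level` covers runlevels 2 through 5 for SysV scripts and simply disables xinetd entries, which is why the same command serves both kinds. Anything that rpm later pulls in will re-register itself as "on", so re-run the listing after every update, not just once.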
By zil0g () on
'scuse me, but WTF?
So if I put an OBSD box right next to a RH box and start those services on the OBSD box, it will be as insecure as the totally un-audited-gnu-for-brains Linux box?
And what's this about httpd/ftpd not being standard?
(I can't remember if inetd was off in 3.1, but it wasn't in 3.0, hmpf)
Basically it sounds as if the WHOLE IDEA of OBSD is missed here. I might as well run RH - gosh, then I could even play UT2 on my servers! Yippie!
bleh bleh
By Jason () jason@ironlizard.org on http://www.ironlizard.org
I totally agree with OpenBSD's philosophy of audited code and how secure the OS is. I run it myself for several jobs that it's very good at. My point is that just because this person has to use Linux for whatever application s/he purchased doesn't mean that suddenly the security is out the window.
The person asked about securing their Linux box and I shared my experiences. OpenBSD is fundamentally more secure and I'm not disputing that. A fundamental difference is that OpenBSD ships with many things deactivated and Linux does not. But that's not the ONLY difference. OpenBSD's code has an extensive audit process and I think their OS is first-rate. I wasn't meaning to disparage OpenBSD at all.
By gotroot () on
Take a look at it, cool stuff.
By Sub--Zero () subzero@xena.utcluj.ro on mailto:subzero@xena.utcluj.ro
Happy hacking,
Sub--Zero
By AnotherAnonymous () on
By Dichque () dichque@indiatimes.com on mailto:dichque@indiatimes.com
http://tldp.org/HOWTO/Security-Quickstart-Redhat-HOWTO/index.html
By Anonymous Coward () on